A new Florida law has recently been passed requiring all patient information, regardless if it's stored on the cloud or through a third-party computing facility, to be physically kept in the continental United States, its territories, or Canada. This requirement applies to all qualified electronic health records (EHRs) stored using any technology that allows information to be electronically retrieved, accessed, or transmitted.
This law will be reflected in the Florida Electronic Health Records Exchange Act and will take effect on July 1, 2023. It implicates almost all health care providers in Florida who use certified electronic health record technology (CEHRT), including, but not limited to, physicians, chiropractors, acupuncturists, pharmacists, dentists, physical therapists, nurses, licensed nutritionists, licensed clinical laboratory personnel, licensed pharmacies, and certain licensed mental health and substance abuse facilities.
To ensure compliance with Florida's ban on storing patient data overseas, providers subject to this law who are submitting an initial or renewal application for licensure will be required to declare, under penalty of perjury, that they are in compliance and will continue to be so. Non-compliance can result in disciplinary action by the Florida Agency for Health Care Administration (AHCA).
If you are affected by this new law, you should promptly review your contracts and service level agreements with your EHR vendor and any third-party data storage provider to understand their data storage practices. If it is determined that any data is stored outside the continental United States, its territories, or Canada, you should develop a comprehensive data migration plan. This should include choosing a new storage provider that meets the location requirements, planning a data transfer to minimize downtime, and considering data integrity and security during the transition. You should also educate and train your staff on this new data storage requirement, especially those overseeing data handling and management to ensure ongoing compliance.
The information provided in this post is for general informational purposes and not intended as legal advice or legal opinion for any individual matter. Consult your own attorney for any legal advice you may require. If you do not have an attorney and would like to explore a potential engagement for my services, please reach out to me via the contact submission form or by using the contact information provided in my bio.